You can configure the AllDBConnector class to use both an Oracle wallet SSL certificate and a user-provided password to authenticate a user to establish a database connection for a utility.

With this setup, the Oracle database server uses an SSL certificate in the Oracle wallet on the server tier to authenticate itself to the utility client through an encrypted channel. The AllDBConnector class then validates the SSL certificate on the client tier and authenticates the user through the user name and password. The database password from the user does not need to be sent from the client tier to the server tier. Only the SSL certificate from the server tier needs to be sent between the server and the client.
About this task
To complete the following steps, you must run the Oracle orapki and Listener Control utilities, and update Oracle configuration files. For more information about configuring the Oracle files and running these Oracle utilities, including any updated usage syntax, see the Oracle Documentation.
Procedure
Configure your database server to use an Oracle Wallet that includes an SSL certificate for authentication.
- Create an Oracle Wallet with the Oracle orapki utility.
  In a command-line utility, run the following command from the Oracle bin directory:
  orapki wallet create -wallet wallet_directory -auto_login -pwd wallet_password
  Where
  - wallet_directory is the directory where you want to create the Wallet. For example, c:\server.wallet.
  - wallet_password is the password that you want to set for the Wallet. For example, s3rv3rp45s.
  For example,
  orapki wallet create -wallet c:\server.wallet -auto_login -pwd s3rv3rp45s
- Install the certificate that is issued by the certificate authority.
  For more information about creating a certificate request and installing the certificate, see the Oracle Documentation.
  As an example for testing purposes, add a self-signed certificate to your Oracle Wallet for use as the database server certificate. In a command-line utility, run the following command from the Oracle bin directory:
  orapki wallet add -wallet wallet_directory -dn "dn_name" -keysize 1024 -self_signed -validity 365 -user_cert -trusted_cert -pwd wallet_password
  Where
  - wallet_directory is the directory where you want to create the Wallet. For example, c:\server.wallet.
  - dn_name is the distinguished name of the certificate owner, which is the database server name. For example, CN=server.
  - wallet_password is the password that you want to set for the Wallet. For example, s3rv3rp45s.
  For example,
  orapki wallet add -wallet c:\server.wallet -dn "CN=server" -keysize 1024 -self_signed -validity 365 -user_cert -trusted_cert -pwd s3rv3rp45s
- Export the SSL certificate for the database server.
  In a command-line utility, run the following command from the Oracle bin directory:
  orapki wallet export -wallet wallet_directory -dn "dn_name" -cert certificate_file -pwd wallet_password
  Where
  - wallet_directory is the directory where you want to create the Wallet. For example, c:\server.wallet.
  - dn_name is the distinguished name of the certificate owner, which is the database server name. For example, CN=server.
  - certificate_file is the path and name of the file that is to include the certificate that you are exporting. For example, c:\server.cert.
  - wallet_password is the password that you want to set for the Wallet. For example, s3rv3rp45s.
  For example,
  orapki wallet export -wallet c:\server.wallet -dn "CN=server" -cert c:\server.cert -pwd s3rv3rp45s
- Shut down your Oracle database by running the following commands from the Oracle bin directory:
  sqlplus / as sysdba
  shutdown immediate;
  quit;
- Stop the Oracle listener with the Oracle Listener Control utility by running the following command from the Oracle bin directory:
- Update the Oracle listener listener.ora configuration file.
  - Go to the following directory and open the listener.ora file for editing:
    - ORACLE_HOME/network/admin
    - ORACLE_HOME\network\admin
    Where ORACLE_HOME is the root directory for your Oracle database. For example, C:\ORACLE\ORA92.
  - Update the listener parameters to match the settings for your system.
    When you are updating the file, ensure that you update the parameters in the following sections: SID_LIST_LISTENER, LISTENER, WALLET_LOCATION, SSL_CLIENT_AUTHENTICATION.
    For example, your updated keys can resemble the following code snippet:
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = WCS)
      (SID_NAME = WCS)
      (ORACLE_HOME = Oracle_installdir\dbhome_1)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = myhostname.mycompany.com)(PORT = 2484))
    )
  )
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\server.wallet)
    )
  )
SSL_CLIENT_AUTHENTICATION = FALSE
- Update the Oracle sqlnet.ora configuration file.
  - Go to the following directory and open the sqlnet.ora file for editing:
    - ORACLE_HOME/network/admin
    - ORACLE_HOME\network\admin
    Where ORACLE_HOME is the root directory for your Oracle database. For example, C:\ORACLE\ORA92.
  - Update the configuration parameters to match the settings for your system.
    When you are updating the file, ensure that you update the following parameters: SQLNET.AUTHENTICATION_SERVICES, SSL_CLIENT_AUTHENTICATION, SSL_VERSION, NAMES.DIRECTORY_PATH, WALLET_LOCATION.
    For example, your parameters can resemble the following code snippet:
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, NTS)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 3.0
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\server.wallet)
    )
  )
- Restart the Oracle listener by running the following command from the Oracle bin directory:
- Start your Oracle database by running the following commands from the Oracle bin directory:
  sqlplus / as sysdba
  startup;
  quit;
Configure your utility client tier to include an Oracle Wallet, which includes the appropriate SSL certificates.
Note: If the client tier where users run HCL Commerce utilities is the same as your database server tier, skip to step 15.
- Create an Oracle Wallet with the orapki utility in your client environment.
  For example, run the following command from the Oracle bin directory:
  orapki wallet create -wallet c:\client.wallet -auto_login -pwd cl13ntp45s
- Import the SSL certificate from your database server tier.
  For example, in a command-line utility, run the following command from the Oracle bin directory:
  orapki wallet add -wallet wallet_directory -trusted_cert -cert certificate_file -pwd wallet_password
  Where
  - wallet_directory is the directory that contains the client Wallet that you created. For example, c:\client.wallet.
  - certificate_file is the path and name of the file that contains the certificate that you exported from the database server. For example, c:\server.cert.
  - wallet_password is the password of the client Wallet. For example, cl13ntp45s.
  For example,
  orapki wallet add -wallet c:\client.wallet -trusted_cert -cert c:\server.cert -pwd cl13ntp45s
- Optional: If you are importing certificates from multiple servers, ensure that the certificates have different distinguished names (DN).
- Ensure that your Oracle Wallet is readable by the user or group that needs to invoke any HCL Commerce utilities. For example, the group that includes the WebSphere Application Server user.
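One way to carry out that check on a POSIX client, as an added example that is not HCL Commerce code: audit_wallet_dir inspects the permission bits of the wallet directory and of the two files orapki writes there, cwallet.sso (the auto-login wallet that -auto_login produces) and ewallet.p12 (the password-protected wallet), and reports anything the utility user's group cannot read as well as anything that is world-readable, since a wallet that every local account can copy is a trust store you no longer control. make_demo_wallet_dir builds a throwaway directory with placeholder files (constructed, not real wallets) so the script runs without an Oracle installation. It checks mode bits only and does not resolve group names.

```python
"""Audit the permissions of a client Oracle Wallet directory (added example)."""
import os
import stat
import tempfile

# Files that orapki writes into a wallet directory: the auto-login wallet
# (created by -auto_login) and the password-protected wallet.
WALLET_FILES = ("cwallet.sso", "ewallet.p12")


def audit_wallet_dir(wallet_dir):
    """Return a list of problems; an empty list means the wallet is readable by
    its group (so the utility user can open it) and not readable by everyone."""
    if not os.path.isdir(wallet_dir):
        return ["%s is not a directory" % wallet_dir]
    problems = []
    paths = [wallet_dir] + [os.path.join(wallet_dir, f) for f in WALLET_FILES]
    for path in paths:
        if not os.path.exists(path):
            problems.append("%s is missing" % path)
            continue
        mode = os.stat(path).st_mode
        perm = stat.S_IMODE(mode)
        if stat.S_ISDIR(mode):
            # The group needs read and search (x) on the directory to open files in it.
            wanted = stat.S_IRGRP | stat.S_IXGRP
        else:
            wanted = stat.S_IRGRP
        if mode & wanted != wanted:
            problems.append("%s is not readable by its group (mode %o)" % (path, perm))
        if mode & stat.S_IROTH:
            problems.append("%s is world-readable (mode %o)" % (path, perm))
    return problems


def make_demo_wallet_dir(dir_mode=0o750, file_mode=0o640):
    """Create a temporary directory holding placeholder wallet files (constructed
    content, not real wallets) with the requested permission bits."""
    demo_dir = tempfile.mkdtemp(prefix="wallet-demo-")
    for name in WALLET_FILES:
        path = os.path.join(demo_dir, name)
        with open(path, "wb") as fh:
            fh.write(b"placeholder - not a real Oracle wallet\n")
        os.chmod(path, file_mode)
    os.chmod(demo_dir, dir_mode)
    return demo_dir


if __name__ == "__main__":
    for dir_mode, file_mode in ((0o750, 0o640), (0o755, 0o644), (0o700, 0o600)):
        demo = make_demo_wallet_dir(dir_mode, file_mode)
        print("%o/%o:" % (dir_mode, file_mode), audit_wallet_dir(demo) or "ok")
```

Run it against the real directory from the WALLET_LOCATION entry of the client sqlnet.ora (audit_wallet_dir("/path/to/client.wallet")) as the user that will launch the utilities; on a shared host the 0o750/0o640 shape is the one to aim for.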
- Update the Oracle sqlnet.ora configuration file for your client.
  - Go to the following directory and open the sqlnet.ora file for editing:
    - ORACLE_HOME/network/admin
    - ORACLE_HOME\network\admin
    Where ORACLE_HOME is the root directory for your Oracle database. For example, C:\ORACLE\ORA92.
  - Update the configuration parameters to match the settings for your system.
    When you are updating the file, ensure that you update the following parameters: SQLNET.AUTHENTICATION_SERVICES, SSL_CLIENT_AUTHENTICATION, SSL_VERSION, NAMES.DIRECTORY_PATH, WALLET_LOCATION.
    For example, your parameters can resemble the following code snippet:
SQLNET.AUTHENTICATION_SERVICES = (TCPS, BEQ, NTS)
SSL_VERSION = 3.0
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = c:\client.wallet)
    )
  )
SSL_CLIENT_AUTHENTICATION = FALSE
- Update the Oracle tnsnames.ora configuration file.
  - Go to the following directory and open the tnsnames.ora file for editing:
    - ORACLE_HOME/network/admin
    - ORACLE_HOME\network\admin
    Where ORACLE_HOME is the root directory for your Oracle database. For example, C:\ORACLE\ORA92.
  - Add a TNS entry to the tnsnames.ora file. The entry must point to your database server.
    For example, your configuration can resemble the following code snippet:
WCS =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = myhostname.mycompany.com)(PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = WCS)
    )
  )
Configure the AllDBConnector class configuration for establishing a database connection for HCL Commerce utilities to use the certificate in the Oracle Wallet.
- Update the database connection configuration file for the AllDBConnector class to ensure that HCL Commerce utilities can authenticate users with the Oracle Wallet.
  - Go to the following directory and open the alldbconnector.xml configuration file for editing.
    - WCDE_installdir\WC\xml\config
  - Update the alldbconnector.xml file to include two overrides to configure how utilities authenticate users.
    In the first override configuration, you must configure the override for your local client database. In the second override configuration, configure the connection override properties for your production environment database. This second override configuration ensures that utilities can use the SSL certificates to authenticate users when a utility, such as the stagingprop utility, must connect to multiple databases.
    Note: For the override property identifier oradestwallet, a corresponding TNS entry, WCSDEST, must exist in the tnsnames.ora configuration file for your utility client environment.
    For more information about the properties that you can include in your override configuration in the alldbconnector.xml file, see Database connection acquisition for utilities and Ant tasks.
- If your Oracle database driver type is a thin driver, your updated AllDBConnector class configuration in the alldbconnector.xml file can resemble the following code snippet:
<oracle>
  <override identifier="orasrcwallet">
    <property name="oracle.jdbc.J2EE13Compliant" type="java.lang.Boolean" value="true"/>
    <property name="oracle.net.tns_admin" value="Oracle_installdir\dbhome_1\network\admin" scope="system" />
    <property name="oracle.net.wallet_location" value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=wallet_directory)))" />
    <property name="oracle.net.ssl_version" value="3.0" />
    <property name="oracle.net.authentication_services" value="(TCPS)" />
    <jdbcurl value="jdbc:oracle:thin:@wcs" />
    <security providername="oracle.security.pki.OraclePKIProvider" />
    <jar path="Oracle_installdir\dbhome_1\jlib\oraclepki.jar" />
    <jar path="Oracle_installdir\dbhome_1\jlib\osdt_cert.jar" />
    <jar path="Oracle_installdir\dbhome_1\jlib\osdt_core.jar" />
  </override>
  <override identifier="oradestwallet">
    <property name="oracle.jdbc.J2EE13Compliant" type="java.lang.Boolean" value="true"/>
    <property name="oracle.net.tns_admin" value="Oracle_installdir\dbhome_1\network\admin" scope="system" />
    <property name="oracle.net.wallet_location" value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=wallet_directory)))" />
    <property name="oracle.net.ssl_version" value="3.0" />
    <property name="oracle.net.authentication_services" value="(TCPS)" />
    <jdbcurl value="jdbc:oracle:thin:@wcsdest" />
    <security providername="oracle.security.pki.OraclePKIProvider" />
    <jar path="Oracle_installdir\dbhome_1\jlib\oraclepki.jar" />
    <jar path="Oracle_installdir\dbhome_1\jlib\osdt_cert.jar" />
    <jar path="Oracle_installdir\dbhome_1\jlib\osdt_core.jar" />
  </override>
</oracle>
- If your Oracle database driver type is a thick driver, your updated AllDBConnector class configuration in the alldbconnector.xml file can resemble the following code snippet:
<oracle>
  <override identifier="orasrcwallet">
    <property name="oracle.jdbc.J2EE13Compliant" type="java.lang.Boolean" value="true"/>
    <property name="oracle.net.wallet_location" value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=wallet_directory)))" />
    <property name="oracle.net.ssl_version" value="3.0" />
    <jdbcurl value="jdbc:oracle:oci:@wcs" />
    <security providername="oracle.security.pki.OraclePKIProvider" />
    <jar path="Oracle_installdir\dbhome_1\jlib\oraclepki.jar" />
    <jar path="Oracle_installdir\dbhome_1\jlib\osdt_cert.jar" />
    <jar path="Oracle_installdir\dbhome_1\jlib\osdt_core.jar" />
  </override>
  <override identifier="oradestwallet">
    <property name="oracle.jdbc.J2EE13Compliant" type="java.lang.Boolean" value="true"/>
    <property name="oracle.net.wallet_location" value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=wallet_directory)))" />
    <property name="oracle.net.ssl_version" value="3.0" />
    <jdbcurl value="jdbc:oracle:oci:@wcsdest" />
    <security providername="oracle.security.pki.OraclePKIProvider" />
    <jar path="Oracle_installdir\dbhome_1\jlib\oraclepki.jar" />
    <jar path="Oracle_installdir\dbhome_1\jlib\osdt_cert.jar" />
    <jar path="Oracle_installdir\dbhome_1\jlib\osdt_core.jar" />
  </override>
</oracle>
Where
- orasrcwallet is the identifier of the override configuration for your authoring or staging environment.
- oradestwallet is the identifier of the override configuration for your production environment.
- wallet_directory is the directory that includes the Wallet. For example, c:\server.wallet.
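The Note above requires that the alias in each override's jdbcurl has a matching entry in the client's tnsnames.ora, and the wallet only protects the connection if that entry uses TCPS; a TNS entry left on plain TCP silently bypasses the whole setup. The following script is an added example, not part of HCL Commerce or of the AllDBConnector class: parse_oracle_net parses Oracle's nested-parenthesis net syntax (the same syntax listener.ora and sqlnet.ora use), and check_overrides reads the override elements from an alldbconnector.xml fragment and reports an alias that is missing from tnsnames.ora, an address that is not TCPS, a missing oracle.net.wallet_location, and an oracle.net.ssl_version of 3.0, 1.0 or 1.1 (in Oracle's naming, 3.0 selects SSL 3.0, which has been deprecated since POODLE; 1.2 is the value to use on current releases). The tnsnames.ora and XML content are constructed samples modelled on the snippets on this page, with a WCSDEST entry deliberately left on TCP so the check has something to report. The parser handles single-token values only; a wallet path containing a space would need quoting support.

```python
"""Cross-check AllDBConnector overrides against tnsnames.ora (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed tnsnames.ora: the page's WCS entry plus a WCSDEST entry that was
# deliberately left on plain TCP so that the check reports it.
TNSNAMES = r"""
WCS =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = myhostname.mycompany.com)(PORT = 2484))
    )
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = WCS))
  )
WCSDEST =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = prod.mycompany.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = WCSDEST))
  )
"""

# Constructed alldbconnector.xml fragment modelled on the thin-driver snippet.
ALLDBCONNECTOR_XML = r"""<oracle>
  <override identifier="orasrcwallet">
    <property name="oracle.net.wallet_location"
              value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=c:\client.wallet)))" />
    <property name="oracle.net.ssl_version" value="3.0" />
    <jdbcurl value="jdbc:oracle:thin:@wcs" />
  </override>
  <override identifier="oradestwallet">
    <property name="oracle.net.wallet_location"
              value="(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=c:\client.wallet)))" />
    <property name="oracle.net.ssl_version" value="3.0" />
    <jdbcurl value="jdbc:oracle:thin:@wcsdest" />
  </override>
</oracle>"""


def _add(mapping, key, value):
    """Store value under key; a repeated key (several ADDRESS entries) becomes a list."""
    if key in mapping:
        if not isinstance(mapping[key], list):
            mapping[key] = [mapping[key]]
        mapping[key].append(value)
    else:
        mapping[key] = value


def parse_oracle_net(text):
    """Parse Oracle's nested-parenthesis syntax (tnsnames.ora, sqlnet.ora,
    listener.ora) into nested dicts; a bare group such as (TCPS, BEQ, NTS)
    becomes a list. Values are single tokens (no embedded spaces)."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    tokens = re.findall(r"\(|\)|=|[^\s()=]+", body)
    pos = 0

    def value():
        nonlocal pos
        if tokens[pos] != "(":              # scalar such as 3.0, TCPS or a path
            pos += 1
            return tokens[pos - 1]
        merged, items = {}, []
        while pos < len(tokens) and tokens[pos] == "(":
            pos += 1
            if tokens[pos] != ")" and tokens[pos + 1] == "=":   # (KEY = value) group
                key = tokens[pos].upper()
                pos += 2
                _add(merged, key, value())
            else:                                               # (A, B, C) list group
                while tokens[pos] != ")":
                    items.append(tokens[pos].strip(","))
                    pos += 1
            if tokens[pos] != ")":
                raise ValueError("unbalanced parentheses near token %d" % pos)
            pos += 1
        return items if items else merged

    result = {}
    while pos < len(tokens):
        key = tokens[pos].upper()
        if tokens[pos + 1] != "=":
            raise ValueError("expected '=' after %s" % key)
        pos += 2
        _add(result, key, value())
    return result


def find_addresses(node):
    """Yield every ADDRESS dict (anything carrying a PROTOCOL key) under node."""
    if isinstance(node, dict):
        if "PROTOCOL" in node:
            yield node
        for child in node.values():
            yield from find_addresses(child)
    elif isinstance(node, list):
        for child in node:
            yield from find_addresses(child)


def check_overrides(xml_text, tnsnames_text):
    """Return (override identifier, message) findings for each override element."""
    tns = parse_oracle_net(tnsnames_text)
    findings = []
    for override in ET.fromstring(xml_text).iter("override"):
        ident = override.get("identifier")
        props = {p.get("name"): p.get("value") for p in override.findall("property")}
        alias = override.find("jdbcurl").get("value").rsplit("@", 1)[-1].upper()
        entry = tns.get(alias)
        if entry is None:
            findings.append((ident, "TNS alias %s is not defined in tnsnames.ora" % alias))
        else:
            for addr in find_addresses(entry):
                if addr.get("PROTOCOL", "").upper() != "TCPS":
                    findings.append((ident, "alias %s reaches %s:%s over %s, not TCPS; "
                                     "without TLS the wallet certificate is never checked"
                                     % (alias, addr.get("HOST"), addr.get("PORT"), addr.get("PROTOCOL"))))
        if "oracle.net.wallet_location" not in props:
            findings.append((ident, "oracle.net.wallet_location is missing"))
        if props.get("oracle.net.ssl_version") in ("3.0", "1.0", "1.1"):
            findings.append((ident, "oracle.net.ssl_version=%s selects SSL 3.0 or early TLS; "
                             "use 1.2" % props["oracle.net.ssl_version"]))
    return findings


if __name__ == "__main__":
    for ident, message in check_overrides(ALLDBCONNECTOR_XML, TNSNAMES):
        print("%s: %s" % (ident, message))
```

Point it at the real files (the tnsnames.ora under the oracle.net.tns_admin directory and the alldbconnector.xml under WCDE_installdir\WC\xml\config) by reading them into the two arguments; an empty findings list means every override resolves to a TCPS endpoint with a wallet location and a current TLS version.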
Results
Your HCL Commerce utilities are configured to authenticate users through an Oracle Wallet. To use this authentication, users that are running an HCL Commerce utility can continue to run the utility normally. Users do not need to change any of the parameters that they define when they run a utility.